[Static Analysis] Dereference of null return value in BinASTParser::parseBlockStatementAux

RESOLVED FIXED in Firefox 59

Status: RESOLVED FIXED
Type: enhancement
Priority: P1
Severity: normal

People: Reporter: andi, Assigned: andi

Tracking: Blocks 1 bug; Keywords: coverity
Version: Trunk
Target Milestone: mozilla59
Firefox Tracking Flags: firefox59 fixed

Details: Whiteboard: CID 1426305

Attachments: 1 attachment

A possible null pointer dereference can occur in the following context:

>>    // In case of absent optional fields, inject default values.
>>    if (!body)
>>        body = factory_.newStatementList(tokenizer_->pos());
>>
>>   MOZ_TRY_VAR(body, appendDirectivesToBody(body, directives));


I think we can avoid this by packing the | newStatementList | call with TRY_DECL.
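The pattern behind the report, as an added example that is not Mozilla's code: a factory call that can return null on allocation failure, a callee that dereferences its argument unconditionally, and a TRY_VAR-style macro that assigns into the already-declared `body` and returns an error before anything dereferences it. `Factory`, `StatementList`, `ParseResult` and the `TRY_VAR` expansion are hypothetical stand-ins modelled on the names used in this bug, not the SpiderMonkey definitions.

```cpp
// Added example, not Mozilla code. Names are hypothetical stand-ins for the
// BinASTParser pieces named in the bug: factory_.newStatementList(),
// appendDirectivesToBody() and the TRY_VAR macro.
#include <cstdio>
#include <vector>

struct StatementList {
    std::vector<int> directives;
};

// Stand-in for factory_: newStatementList() returns nullptr when the
// (simulated) allocation fails, which is exactly the case the bug is about.
struct Factory {
    bool failNext = false;
    StatementList* newStatementList() {
        if (failNext) return nullptr;   // simulated out-of-memory
        return new StatementList();
    }
};

// Hypothetical result type: either an error or a non-null list.
struct ParseResult {
    bool ok;
    StatementList* body;
};

// Hypothetical TRY_VAR: assign into an EXISTING variable and bail out on null.
// The do/while(false) wrapper makes it a single statement, so it is safe as the
// body of a brace-less `if`, unlike a macro that expands to a declaration.
#define TRY_VAR(VAR, EXPR)                              \
    do {                                                \
        VAR = (EXPR);                                   \
        if (!VAR) return ParseResult{false, nullptr};   \
    } while (false)

// Stand-in for appendDirectivesToBody(): dereferences body unconditionally,
// so a null body reaching this call is the crash reported by Coverity.
static StatementList* appendDirectivesToBody(StatementList* body,
                                             const std::vector<int>& directives) {
    body->directives.insert(body->directives.end(),
                            directives.begin(), directives.end());
    return body;
}

// Fixed shape of the function: the null return from newStatementList() is
// checked by TRY_VAR before appendDirectivesToBody() can dereference it.
ParseResult parseBlockStatementAux(Factory& factory, StatementList* body,
                                   const std::vector<int>& directives) {
    // In case of absent optional fields, inject default values.
    if (!body)
        TRY_VAR(body, factory.newStatementList());

    body = appendDirectivesToBody(body, directives);  // body is non-null here
    return ParseResult{true, body};
}

int main() {
    std::vector<int> directives{1, 2};

    Factory failing;
    failing.failNext = true;
    ParseResult r1 = parseBlockStatementAux(failing, nullptr, directives);
    std::printf("allocation failure: ok=%d body=%p\n", r1.ok, (void*)r1.body);

    Factory working;
    ParseResult r2 = parseBlockStatementAux(working, nullptr, directives);
    std::printf("allocation success: ok=%d directives=%zu\n",
                r2.ok, r2.body ? r2.body->directives.size() : 0);
    delete r2.body;
    return 0;
}
```

With the failing factory the function returns an error result instead of passing a null `body` into `appendDirectivesToBody`; with a working factory, or when a non-null `body` is supplied, the directives are appended as before.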
Comment on attachment 8937418 [details]
Bug 1425826 - prevent null pointer dereference in BinASTParser::parseBlockStatementAux.

https://reviewboard.mozilla.org/r/208092/#review214458

r=me with the one comment addressed.

::: js/src/frontend/BinSource.cpp:338
(Diff revision 1)
>          }
>      }
>  
>      // In case of absent optional fields, inject default values.
>      if (!body)
> -        body = factory_.newStatementList(tokenizer_->pos());
> +        TRY_DECL(body, factory_.newStatementList(tokenizer_->pos()));
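Review bot: the `+` line still looks wrong: `TRY_DECL(body, ...)` introduces a declaration, but `body` already exists at this point (the `if (!body)` immediately above tests it), so the expansion is either a redeclaration that fails to compile or a second `body` scoped to the `if` that never reaches the outer variable, leaving it null for the `appendDirectivesToBody(body, directives)` call the reporter quotes. Use the macro that assigns into an existing variable and returns on null, i.e. `TRY_VAR(body, factory_.newStatementList(tokenizer_->pos()));`, which is what actually removes the dereference Coverity flagged.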

This seems like it would be a syntax error. Does it compile?

I think it needs to be `TRY_VAR` instead of `TRY_DECL`.
Attachment #8937418 - Flags: review?(jorendorff) → review+
Priority: -- → P1
Pushed by bpostelnicu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4d07f50ba637
prevent null pointer dereference in BinASTParser::parseBlockStatementAux. r=jorendorff
https://hg.mozilla.org/mozilla-central/rev/4d07f50ba637
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59